Understanding 3 month cert

My domain is: ezproxy.gc.cuny.edu
My web server is (include version): ezproxy
The operating system my web server runs on is (include version): [sklein@ldv2 ~]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): returns unknown

I run a proxy server called EZproxy and the sys-admin that ran the servers left, so I'm trying to understand the cert setup.
EZproxy is a web server, analogous to Apache, but certs are created and managed within the application: https://help.oclc.org/Library_Management/EZproxy/Secure_your_EZproxy_server/010SSL_configuration
Furthermore, EZproxy is a SAML service provider, so I need to send cert metadata to the IdP (identity provider). See steps 5-6:

So my question is why does my SAML setup continue to work, although the IDP folks have metadata for the previous cert, the cert that existed before August?

I know this is convoluted and I appreciate your assistance.

If you can confirm that the cert in use is expired, then I can only think that the service using that cert is not checking the validity dates on the cert - it only uses it for encryption.
If that is the case, you could easily use any cert for that purpose [even a self-signed cert].


Thank you. In pre-Let's Encrypt days, when we were using DigiCert, it seemed like we needed to renew before expiration, so I'm assuming it is checking for validity dates.

Looking at your cert history (crt.sh | ezproxy.gc.cuny.edu), it seems like your LE cert was automatically renewing just fine every 2 months (which is the advice from LE), until now. It should have renewed around 2023-08-21, but didn't. Unless crt.sh has a backlog of almost 2 weeks :roll_eyes:

So something isn't quite right.


I think my sys admin would run the cron job ~30 days before expiration.

Also, what is crt.sh and what might not be quite right? Could you translate this for me?

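The two points raised above, that a service may keep using a cert without checking its validity dates, and that the old cron job renewed roughly 30 days before expiry, can both be checked directly with openssl on the server. The following is an added example written for this thread; it is not code from the thread, from Let's Encrypt or from EZproxy. It assumes openssl is on PATH, the file paths are placeholders, and the sample certificate is a constructed throwaway self-signed cert generated locally so the checks can run offline.

```shell
#!/bin/sh
# Added example (not from the thread or from EZproxy): inspect a PEM certificate's
# validity window with openssl, the way you would check the cert a server serves.
# Assumes openssl is on PATH. Paths below are placeholders.

# Print the notBefore/notAfter dates of a PEM certificate.
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Return 0 if the certificate is valid right now (notAfter is still in the future),
# 1 if it has already expired. This is the check a relying party should be doing
# but, as discussed above, some SAML deployments never do.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Return 0 if the certificate expires within the next N days, 1 otherwise.
# Mirrors a "renew ~30 days before expiry" cron policy: renew when this returns 0.
cert_expires_within_days() {
    days="$2"
    seconds=$((days * 86400))
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1   # more than N days left; no renewal needed yet
    else
        return 0   # expires within N days (or is already expired)
    fi
}

# Constructed sample: a throwaway self-signed cert valid for 10 days, so the
# checks have something to run against offline. Not a real EZproxy cert.
make_sample_cert() {
    outdir="${1:-${TMPDIR:-/tmp}}"
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -subj "/CN=example.invalid" \
        -keyout "$outdir/sample.key" -out "$outdir/sample.crt" >/dev/null 2>&1
    printf '%s\n' "$outdir/sample.crt"
}

# Fetch the cert a live server is actually presenting (needs network; not part of
# the offline checks). $1 = hostname, $2 = port, e.g. your proxy host and 443.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}
```

Typical use on the server is `fetch_server_cert your.proxy.host 443 > live.crt`, then `cert_dates live.crt` and `cert_valid_now live.crt` to confirm which cert is being served and whether it is still within its validity window; `cert_expires_within_days live.crt 30` returns 0 when the old cron job would have fired.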

It's a web site [https://crt.sh/] operated by Sectigo.
The site name is intended to be an abbreviation of "Certificate Search".
You can use it to search for certificates issued by any CA.


@Osiris meant that crt.sh can sometimes be delayed in showing certs. But a 2-week delay is, um, unlikely.

However, I see your Aug 21 cert using a different system (censys.io), so it looks like crt.sh is problematic. Especially since your web server is using this Aug 21 cert, we know it is valid.

Aside: Sometimes crt.sh changes how it selects the certs to show. Maybe different search terms are needed to see multi-domain certs? Just guessing.


There is more information in this forum topic on the various Certificate Transparency systems people here are using to try to look up what certificates exist for that domain, if that's helpful:


Ah, didn't check that on my phone, nevermind my previous reply then :slight_smile:

